Remove sudoers using script

Solution 1:

Here's an alternate method. Lines are not added or deleted from the sudoers file. The line giving admin root rights is commented out and we create a separate file with mac_admin's rights in the directory /etc/sudoers.d. And as a bonus, the original sudoers file is backed up.

printf '%s\n' 'mac_admin  ALL=(ALL:ALL) ALL' > /tmp/99-macadmin

visudo -c -f /tmp/99-macadmin &&
install -o 0 -g 0 -m 440 /tmp/99-macadmin /etc/sudoers.d

sed $'s/%admin\t/# %admin/' /etc/sudoers > /tmp/sudoers

visudo -c -f /tmp/sudoers &&
install -B .orig -b -o 0 -g 0 -m 440 /tmp/sudoers /etc/sudoers

rm /tmp/sudoers /tmp/99-macadmin

Solution 2:

For what it's worth, you can use

printf '/^%%admin ALL = (ALL) ALL$/d\nw\nq\n' | ed -s sudoers

or, if you want to catch the line independent of the number of space characters, tabs, etc. used:

printf '/^%%admin[[:blank:]]*ALL[[:blank:]]*=[[:blank:]]*(ALL)[[:blank:]]*ALL$/d\nw\nq\n' | ed sudoers 

in bash to remove the admin line (the double %% are required to prevent printf from interpreting them as formatting instructions).

The usual caveats about editing sudoers without relying on the syntax checks done by visudo apply. So it might be safer to run the following (or at least have another root shell running so you can fix any issues without getting locked out):

cp /etc/sudoers /tmp
chmod +w /tmp/sudoers
printf '/^%%admin[[:blank:]]*ALL[[:blank:]]*=[[:blank:]]*(ALL)[[:blank:]]*ALL$/d\nw\nq\n' \
    | ed /tmp/sudoers
if visudo -c -f /tmp/sudoers; then
    echo "All well"
    mv -f /tmp/sudoers /etc/sudoers
    chmod -w /etc/sudoers
else
    echo "Uups, something went wrong"
fi

(Script untested, because I don't want to mess with my sudoers file)
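
The copy, edit, validate, install sequence that both solutions rely on, written as one function. This is an added example, not code from either answer; the function name `disable_admin_rule` and the `SUDOERS_CHECK` variable are assumptions introduced here.

```shell
#!/bin/sh
# Added example: comment out the %admin rule in a sudoers file, validating
# the edited copy before it replaces the original.
# Assumptions: the function name and SUDOERS_CHECK are hypothetical.
# SUDOERS_CHECK defaults to "visudo -c -f" and exists so the validator can
# be swapped out when exercising the function on a scratch file.
# Usage (as root): disable_admin_rule /etc/sudoers
# Returns 0 = replaced, 1 = validation or I/O failure, 2 = rule not found.
disable_admin_rule() {
    target=$1
    checker=${SUDOERS_CHECK:-visudo -c -f}
    pattern='^%admin[[:blank:]]+ALL[[:blank:]]*=[[:blank:]]*\(ALL\)[[:blank:]]*ALL[[:blank:]]*$'

    # Unpredictable name in the target's own directory: no fixed /tmp path
    # for another user to pre-create, and the final mv is an atomic rename.
    tmp=$(mktemp "$(dirname "$target")/sudoers.XXXXXX") || return 1

    # Comment the rule out instead of deleting it, as in Solution 1.
    if ! sed -E "s/${pattern}/# &/" "$target" > "$tmp"; then
        rm -f "$tmp"; return 1
    fi

    # Nothing matched: leave the original alone and report it.
    if cmp -s "$target" "$tmp"; then
        rm -f "$tmp"; return 2
    fi

    # Syntax-check the candidate; never install a file that fails.
    if ! $checker "$tmp" >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi

    # Keep a backup, set the mode sudo expects, then swap the file in.
    cp -p "$target" "$target.orig" || { rm -f "$tmp"; return 1; }
    chmod 440 "$tmp" && mv -f "$tmp" "$target"
}
```

When run as root the temporary file is created root-owned, so only the mode needs setting before the rename.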